LSI Security Question Fail

I was trying to register for access to the LSI download center and in the process I ran across a very interesting security question:

Gee, guys, if I knew what my password was I wouldn’t need the security question.

I also enjoy “What is your mother’s last name?” Consider that a disproportionate number of IT staff are men, and that, at least in the USA, women of my mother’s era usually took their husband’s last name. It’s highly probable that my mother’s last name is the same as mine…

This is all on top of the fact that it’s asking for passwords and such without SSL. I think it’s safe to say that your security is not their priority.


Sad but true. This is a picture-perfect example of how poorly-implemented “security” fails: (1) lack of understanding of how to properly implement controls, (2) implementing “security” without a proper understanding (and further undermining the baseline), (3) duplicating someone else’s properly thought-out algorithm/methodology.

I think the “mother name” question is trying to refer to your mother’s maiden name, i.e. the last name she had _before_ marriage (not particularly secret, either, but still). I don’t get the relevance of IT guys usually being men (unless you meant “not married women that had their last name changed”).

I know what it usually is — this is decidedly not that usual question! :) I was just trying to say that in the USA women often take their husband’s last name. Therefore women in IT who are married would probably not have the same last name as their mother. Men in IT would probably have the same last name as their mother, making that answer easily guessable. At any rate, it’s very easy to figure out my mother’s last name.

I’ve always had a problem with these kinds of questions because any determined hacker (black-hat) can discover all of that. Pretty easily.

I wouldn’t go as far as saying LSI doesn’t care about security as a whole, but their web design team certainly needs some advice. The sad thing is that it’s epidemic... you rarely see a website with a decent authentication system.

It’s the front door, a gateway to further business with the company. When the front door is poorly secured & broken it reflects badly upon the rest of the business. I happen to think that LSI has some great products, they just need to get it together all the way around.

I’ve always hated security questions and think they should be banned from the internet entirely. If you forget your password you should get the option to request a temp password or a unique URL to the website, and it should be sent by email. I’m emphasising the temp password part here, as e-mail is plaintext (at least most of the time). The URL or the temp password should have a limited amount of time that it works as well.

Sure, you can still hack the email account, but you should always take great care of that part of your internet identity, as it is a vital part of it. If you have somebody’s email account, you are pretty much in control of every other account he/she has.
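One way to implement the time-limited, single-use reset link the comment above describes (an added example, not code from the original post or from LSI): the server stores only a hash of the random token, so a leaked table does not yield working links, and each token expires and is consumed on first use. The in-memory store class, the URL shape and the 15-minute window are assumptions made for the example.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumption: a 15-minute validity window


class ResetTokenStore:
    """Issues single-use, time-limited password-reset tokens.

    Hypothetical in-memory store standing in for a database table.
    Only SHA-256 digests of tokens are kept; the raw token exists
    solely in the e-mail sent to the user.
    """

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.time):
        self.ttl = ttl
        self.clock = clock  # injectable for testing expiry
        self._pending = {}  # digest -> (user_id, expires_at)

    def issue(self, user_id):
        """Create a 256-bit random token for user_id and return it."""
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (user_id, self.clock() + self.ttl)
        return token

    def redeem(self, token):
        """Return the user_id if token is valid and unexpired, else None.

        The entry is removed on every attempt, so a token can be
        used at most once and an expired one cannot be retried.
        """
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(digest, None)
        if entry is None:
            return None  # unknown, already used, or already purged
        user_id, expires_at = entry
        if self.clock() > expires_at:
            return None  # expired: the link is no longer honoured
        return user_id


def build_reset_url(base_url, token):
    """Compose the link placed in the reset e-mail (assumed path)."""
    return f"{base_url}/reset?token={token}"
```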